2. Index:
• Introduction to Application Layer
• Types of Application Layer Protocols
• Security-Enhanced Application Layer Protocol
• Authentication & Key Distribution System
• AKA in CDMA & UMTS
• Layering Security Protocol above the Application Layer
Prof. Kirti Ahirrao 2
3. Application Layer
• It is an abstraction layer.
• It specifies the shared communications protocols and interface methods used by hosts in a communications network.
• The application layer abstraction is used in both of the standard models: the TCP/IP suite and the OSI model.
4. Application Layer
• It is the closest layer to the end user, so it presents attackers with the largest threat surface.
• Poor application layer security can lead to performance and stability issues, data theft, and in some cases the network being taken down.
• Application layer attacks include distributed denial-of-service (DDoS) attacks, HTTP floods, SQL injection, cross-site scripting, and parameter tampering.
• Most organizations have application layer security protections, such as web application firewalls (WAFs), secure web gateway services, and others.
5. Types of Application Layer Protocol
• Remote login to hosts: Telnet.
• File transfer: File Transfer Protocol (FTP) & Trivial File Transfer Protocol (TFTP).
• Electronic mail transport: Simple Mail Transfer Protocol (SMTP).
• Networking support: Domain Name System (DNS).
• Host initialization: BOOTP.
• Remote host management: Simple Network Management Protocol (SNMP), Common Management Information Protocol over TCP (CMOT).
6. Security-Enhanced Application Layer Protocol
• Secure Shell (SSH) is a widely used and deployed protocol that serves as a secure replacement for terminal access and file transfer.
• DNS Security, or DNSSEC for short, refers to a set of security extensions and enhancements for DNS.
• Furthermore, several cryptographic file systems have been developed and proposed in the past, e.g. the Cryptographic File System (CFS) and the Andrew File System (AFS).
• The starting point was the specification of the Secure Hypertext Transfer Protocol (S-HTTP), which was developed and originally proposed by Eric Rescorla and Allan Schiffman on behalf of the CommerceNet consortium in the early 1990s.
• S-HTTP version 1.0 was publicly released in June 1994 and distributed by the CommerceNet consortium.
• Since 1995, the S-HTTP specification has been further refined under the auspices of the IETF WTS WG.
7. Authentication & Key Agreement System (AKA)
• It is a security protocol used in 3G networks.
• It is used as a one-time password generation mechanism for digest access authentication.
• AKA is a challenge-response based mechanism that uses symmetric cryptography.
• AKA is also called 3G Authentication or Enhanced Subscriber Authorization (ESA).
• AKA works in CDMA (Code Division Multiple Access) & UMTS (Universal Mobile Telecommunications System).
8. AKA in CDMA
1. It provides procedures for mutual authentication of the Mobile Station (MS) and the serving system.
2. The successful execution of AKA results in the establishment of a security association (i.e., a set of security data) between the MS and the serving system that enables a set of security services to be provided.
3. Major advantages of AKA over CAVE-based authentication include:
• Larger authentication keys (128-bit)
• Stronger hash function (SHA-1)
• Support for mutual authentication
• Support for signaling message data integrity
• Support for signaling information encryption
• Support for user data encryption
9. AKA in UMTS
• This performs authentication and session key distribution in Universal Mobile Telecommunications System (UMTS) networks.
• It is a challenge-response based mechanism that uses symmetric cryptography.
• It is typically run in a UMTS IP Multimedia Services Identity Module (ISIM), which is an application on a UICC (Universal Integrated Circuit Card).
• AKA is defined in RFC 3310.
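The following is an added illustration (not from the slides, and not the 3GPP Milenage algorithm) of the challenge-response structure that slides 8 and 9 describe: the home network builds an authentication vector from the shared 128-bit key K, the mobile station first authenticates the network via the token sent with the challenge, then answers with RES, and both sides end up holding the same cipher key (CK) and integrity key (IK). The f1..f4 functions, the sequence-number check and the sample key are constructed stand-ins based on HMAC-SHA-1; the real functions, the anonymity key and the resynchronisation procedure are omitted.

```python
"""Simplified mutual-authentication AKA run (constructed illustration).
The f1..f4 functions below are HMAC-SHA-1 stand-ins, not the 3GPP
Milenage functions; the message flow (RAND/AUTN -> RES vs XRES, CK/IK)
is what this example is meant to show."""
import hashlib
import hmac
import secrets

SAMPLE_K = bytes(range(16))   # constructed 128-bit sample key, not a real subscriber key

def kdf(k: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed derivation: HMAC-SHA-1 over a function label and its inputs."""
    return hmac.new(k, label + b"".join(parts), hashlib.sha1).digest()

def home_network_vector(k: bytes, sqn: int) -> dict:
    """AuC/HLR side: build one authentication vector for the serving network."""
    rand = secrets.token_bytes(16)                 # fresh 128-bit challenge
    sqn_b = sqn.to_bytes(6, "big")                 # sequence number against replay
    mac_a = kdf(k, b"f1", sqn_b, rand)[:8]         # authenticates the network to the MS
    xres = kdf(k, b"f2", rand)[:8]                 # expected response from the MS
    ck = kdf(k, b"f3", rand)[:16]                  # cipher key (user data encryption)
    ik = kdf(k, b"f4", rand)[:16]                  # integrity key (signalling integrity)
    return {"rand": rand, "autn": sqn_b + mac_a, "xres": xres, "ck": ck, "ik": ik}

def mobile_station_respond(k: bytes, rand: bytes, autn: bytes, last_sqn: int):
    """MS/USIM side: verify the network first, then answer the challenge."""
    sqn_b, mac_a = autn[:6], autn[6:]
    if not hmac.compare_digest(mac_a, kdf(k, b"f1", sqn_b, rand)[:8]):
        raise ValueError("MAC failure: network not authenticated")
    sqn = int.from_bytes(sqn_b, "big")
    if sqn <= last_sqn:
        raise ValueError("synchronisation failure: replayed sequence number")
    res = kdf(k, b"f2", rand)[:8]
    return res, kdf(k, b"f3", rand)[:16], kdf(k, b"f4", rand)[:16], sqn

def run_aka(k: bytes, sqn: int, ms_last_sqn: int, ms_key: bytes = None) -> str:
    """One full run; ms_key lets the MS hold a different key to show a failed
    network authentication. Returns 'ok' or the reason the run was rejected."""
    av = home_network_vector(k, sqn)
    try:
        res, ck, ik, _ = mobile_station_respond(ms_key or k, av["rand"], av["autn"], ms_last_sqn)
    except ValueError as exc:
        return str(exc)
    if not hmac.compare_digest(res, av["xres"]):
        return "RES mismatch: MS not authenticated"
    # Security association established only if both sides derived the same keys.
    return "ok" if ck == av["ck"] and ik == av["ik"] else "key mismatch"
```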
10. Layered Security Protocol
• Layered security is also known as layered defense.
• It describes the practice of combining multiple mitigating security controls to protect resources and data.
• Layered security can be used in any environment, from military operations to individuals and community residents (homeowners, neighborhood watch groups, etc.).
• In other words, "layered security is the practice of using many different security controls at different levels to protect assets.
• This provides strength and depth to reduce the effects of a threat.
• Your goal is to create redundancies (backups) in case security measures fail, are bypassed, or are defeated. Placing assets in the innermost perimeter will provide layers of security measures at increasing distances from the protected asset.
• The number of layers and the security measures you use will depend on the threat and the importance of the asset".